package integration.rbacapi.api.v2;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ScopeRoleBindingMapping;
import io.confluent.rbacapi.retrofit.v2.V2RbacRestApi;
import io.confluent.rbacapi.retrofit.v2.V2RbacRetrofitFactory;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.net.ConnectException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.awaitility.Awaitility;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import retrofit2.Call;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/api/v2/LookupTest.class */
public class LookupTest {
    public static final String GROUP_TYPE = "Group";
    public static final String USER_ADMINISTRATOR = "administrator";
    public static final String GROUP_ADMINS = "admins";
    public static final String USER_ADMINISTRATOR_IN_GROUP = "administrator_in_group";
    public static final String GROUP_INVESTING_DEVS = "investing_devs";
    public static final String USER_INVESTING_DEVELOPER = "investing_developer";
    public static final String GROUP_PAYROLL_DEVS = "payroll_devs";
    public static final String USER_PAYROLL_DEVELOPER = "payroll_developer";
    public static final String USER_INVESTING_PAYROLL_DEVELOPER = "investing_payroll_developer";
    public static final String USER_SPECIAL_DEVELOPER = "special_developer";
    public static final String USER_INVESTING_SPECIAL_DEVELOPER = "investing_special_developer";
    private static final String BROKER_USER = "kafka";
    private static final Scope EXTERNAL_KAFKA_CLUSTER_SCOPE = newScope("kafka1").build();
    private static final Scope EXTERNAL_KSQL_CLUSTER_SCOPE = newScope("kafka1").withCluster("ksql-cluster", "ksql1").build();
    private static final Scope EXTERNAL_CONNECT_CLUSTER_SCOPE = newScope("kafka1").withCluster("connect-cluster", "connect1").build();
    private static final Scope EXTERNAL_SR_CLUSTER_SCOPE = newScope("kafka1").withCluster("schema-registry-cluster", "sr1").build();
    private static LdapServer ldapServer;
    private static LdapCrud ldapCrud;
    private static RbacClusters rbacClusters;
    private static int actualMdsPort;
    private static MdsScope kafkaClusterScope;
    private static V2RbacRestApi userAdminRbacRestApi;

    @BeforeClass
    public static void setupClass() throws Exception {
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        ldapCrud = new ExampleComLdapCrud(actualPort);
        RbacClusters.Config justLDAP = KafkaConfigTool.justLDAP(actualPort, "kafka");
        justLDAP.overrideMetadataBrokerConfig("confluent.metadata.server.api.flavor", "CC");
        rbacClusters = new RbacClusters(justLDAP);
        kafkaClusterScope = new MdsScope(Scope.kafkaClusterScope(rbacClusters.kafkaClusterId()));
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        userAdminRbacRestApi = setupUsersAndGroups(rbacClusters);
        Awaitility.given().ignoreException(ConnectException.class).await().atMost(30L, TimeUnit.SECONDS).until(() -> {
            return Boolean.valueOf(userAdminRbacRestApi.getRoleNames().execute().isSuccessful());
        });
    }

    @AfterClass
    public static void teardownClass() {
        ldapServer.stop();
        rbacClusters.shutdown();
        MdsTestUtil.releasePort(actualMdsPort);
    }

    private static String userPrincipalName(String str) {
        return new KafkaPrincipal("User", str).toString();
    }

    private static String groupPrincipalName(String str) {
        return new KafkaPrincipal("Group", str).toString();
    }

    private static Scope.Builder newScope(String str) {
        return new Scope.Builder(new String[0]).withKafkaCluster(str);
    }

    public static V2RbacRestApi setupUsersAndGroups(RbacClusters rbacClusters2) throws Exception {
        ldapCrud.createUsers(Arrays.asList("administrator", "administrator_in_group", "investing_developer", "payroll_developer", "investing_payroll_developer", "special_developer", "investing_special_developer"));
        ldapCrud.createGroups(Arrays.asList("admins", "investing_devs", "payroll_devs"));
        ldapCrud.groupUsers("admins", new String[]{"administrator_in_group"});
        ldapCrud.groupUsers("investing_devs", new String[]{"investing_developer", "investing_payroll_developer", "investing_special_developer"});
        ldapCrud.groupUsers("payroll_devs", new String[]{"payroll_developer", "investing_payroll_developer"});
        MdsScope mdsScope = new MdsScope(Scope.kafkaClusterScope(rbacClusters2.kafkaClusterId()));
        rbacClusters2.assignRole("User", "administrator", "UserAdmin", mdsScope.scope(), Collections.emptySet());
        rbacClusters2.assignRole("User", "administrator", "UserAdmin", EXTERNAL_KAFKA_CLUSTER_SCOPE, Collections.emptySet());
        rbacClusters2.assignRole("User", "administrator", "UserAdmin", EXTERNAL_KSQL_CLUSTER_SCOPE, Collections.emptySet());
        rbacClusters2.assignRole("User", "administrator", "UserAdmin", EXTERNAL_CONNECT_CLUSTER_SCOPE, Collections.emptySet());
        rbacClusters2.assignRole("User", "administrator", "UserAdmin", EXTERNAL_SR_CLUSTER_SCOPE, Collections.emptySet());
        V2RbacRestApi build = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, "administrator", "administrator");
        rbacClusters2.assignRole("User", "administrator", "ResourceOwner", mdsScope.scope(), Collections.singleton(new ResourcePattern("Topic", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("Group", "admins", "ResourceOwner", mdsScope.scope(), Collections.singleton(new ResourcePattern("Topic", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("Group", "investing_devs", "DeveloperRead", mdsScope.scope(), Collections.singleton(new ResourcePattern("Topic", "investing-", PatternType.PREFIXED)));
        rbacClusters2.assignRole("Group", "investing_devs", "DeveloperRead", EXTERNAL_KSQL_CLUSTER_SCOPE, Collections.singleton(new ResourcePattern("KsqlCluster", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("Group", "payroll_devs", "DeveloperRead", mdsScope.scope(), Collections.singleton(new ResourcePattern("Topic", "payroll-", PatternType.PREFIXED)));
        rbacClusters2.assignRole("Group", "payroll_devs", "DeveloperRead", EXTERNAL_CONNECT_CLUSTER_SCOPE, Collections.singleton(new ResourcePattern("Connector", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("User", "special_developer", "DeveloperRead", mdsScope.scope(), (Set) Stream.of((Object[]) new ResourcePattern[]{new ResourcePattern("Topic", "billing-invoices", PatternType.LITERAL), new ResourcePattern("Topic", "payroll-texas", PatternType.LITERAL), new ResourcePattern("Topic", "investing-stocks", PatternType.LITERAL), new ResourcePattern("Topic", "investing-bonds", PatternType.LITERAL)}).collect(Collectors.toSet()));
        rbacClusters2.assignRole("User", "special_developer", "DeveloperRead", EXTERNAL_SR_CLUSTER_SCOPE, Collections.singleton(new ResourcePattern("Subject", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("User", "investing_special_developer", "DeveloperRead", mdsScope.scope(), (Set) Stream.of(new ResourcePattern("Topic", "billing-invoices", PatternType.LITERAL)).collect(Collectors.toSet()));
        rbacClusters2.assignRole("User", "investing_special_developer", "DeveloperRead", EXTERNAL_KSQL_CLUSTER_SCOPE, Collections.singleton(new ResourcePattern("KsqlCluster", "*", PatternType.LITERAL)));
        rbacClusters2.assignRole("User", "investing_special_developer", "DeveloperRead", EXTERNAL_SR_CLUSTER_SCOPE, Collections.singleton(new ResourcePattern("Subject", "*", PatternType.LITERAL)));
        return build;
    }

    private void verifyLookupReturnedPrincipalNames(Call<List<String>> call, Set<String> set) throws Exception {
        Response execute = call.execute();
        Assert.assertEquals(200L, execute.code());
        Assert.assertEquals(set, new HashSet((List) execute.body()));
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public static Object[][] noResourceLookups() {
        return new Object[]{new Object[]{"UserAdmin", Utils.mkSet(new String[]{userPrincipalName("administrator")})}, new Object[]{"DeveloperWrite", Utils.mkSet(new Object[0])}, new Object[]{"DeveloperRead", Utils.mkSet(new String[]{userPrincipalName("special_developer"), userPrincipalName("investing_special_developer"), groupPrincipalName("payroll_devs"), groupPrincipalName("investing_devs")})}};
    }

    @Test(dataProvider = "noResourceLookups")
    public void test_noResourceLookups(String str, Set<String> set) throws Exception {
        verifyLookupReturnedPrincipalNames(userAdminRbacRestApi.getPrincipalsWithRole(str, kafkaClusterScope), set);
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public static Object[][] topicLookups() {
        return new Object[]{new Object[]{"DeveloperRead", "billing-invoices", Utils.mkSet(new String[]{userPrincipalName("special_developer"), userPrincipalName("investing_special_developer")})}, new Object[]{"DeveloperRead", "investing-gold", Utils.mkSet(new String[]{groupPrincipalName("investing_devs")})}, new Object[]{"DeveloperRead", "investing-stocks", Utils.mkSet(new String[]{userPrincipalName("special_developer"), groupPrincipalName("investing_devs")})}, new Object[]{"DeveloperRead", "investing-", Utils.mkSet(new String[]{groupPrincipalName("investing_devs")})}, new Object[]{"DeveloperRead", "investing", Utils.mkSet(new Object[0])}, new Object[]{"ResourceOwner", "billing-paid", Utils.mkSet(new String[]{userPrincipalName("administrator"), groupPrincipalName("admins")})}, new Object[]{"DeveloperRead", "billing-paid", Utils.mkSet(new Object[0])}};
    }

    @Test(dataProvider = "topicLookups")
    public void test_topicLookups(String str, String str2, Set<String> set) throws Exception {
        verifyLookupReturnedPrincipalNames(userAdminRbacRestApi.getPrincipalsWithRoleOnResource(str, "Topic", str2, kafkaClusterScope), set);
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public static Object[][] resourcesForPrincipal() {
        return new Object[]{new Object[]{"investing_payroll_developer", Utils.mkSet(new String[]{groupPrincipalName("payroll_devs"), groupPrincipalName("investing_devs")}), 2}, new Object[]{"special_developer", Utils.mkSet(new String[]{userPrincipalName("special_developer")}), 4}, new Object[]{"investing_special_developer", Utils.mkSet(new String[]{userPrincipalName("investing_special_developer"), groupPrincipalName("investing_devs")}), 2}};
    }

    @Test(dataProvider = "resourcesForPrincipal")
    public void test_getResourcesForPrincipal(String str, Set<String> set, Integer num) throws Exception {
        Response execute = userAdminRbacRestApi.getResourcesForPrincipal(userPrincipalName(str), kafkaClusterScope).execute();
        Assert.assertEquals(200L, execute.code());
        Map map = (Map) execute.body();
        Assert.assertEquals(set, map.keySet());
        for (String str2 : map.keySet()) {
            Response execute2 = userAdminRbacRestApi.getRoleNamesForPrincipal(str2, kafkaClusterScope).execute();
            Assert.assertEquals(200L, execute2.code());
            for (String str3 : (List) execute2.body()) {
                Response execute3 = userAdminRbacRestApi.getRoleResourcesForPrincipal(str2, str3, kafkaClusterScope).execute();
                Assert.assertEquals(200L, execute3.code());
                Assert.assertEquals((List) execute3.body(), ((Map) map.get(str2)).get(str3));
            }
        }
        Assert.assertEquals(num.longValue(), map.values().stream().mapToInt(map2 -> {
            return map2.values().stream().mapToInt((v0) -> {
                return v0.size();
            }).sum();
        }).sum());
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider
    public static Object[][] rolebindingsForAllKnownClusters() {
        return new Object[]{new Object[]{"investing_developer", ImmutableMap.of(EXTERNAL_KSQL_CLUSTER_SCOPE, Utils.mkSet(new String[]{userPrincipalName("investing_developer")}))}, new Object[]{"payroll_developer", ImmutableMap.of(EXTERNAL_CONNECT_CLUSTER_SCOPE, Utils.mkSet(new String[]{userPrincipalName("payroll_developer")}))}, new Object[]{"special_developer", ImmutableMap.of(EXTERNAL_SR_CLUSTER_SCOPE, Utils.mkSet(new String[]{userPrincipalName("special_developer")}))}, new Object[]{"investing_special_developer", ImmutableMap.of(EXTERNAL_KSQL_CLUSTER_SCOPE, Utils.mkSet(new String[]{userPrincipalName("investing_special_developer")}), EXTERNAL_SR_CLUSTER_SCOPE, Utils.mkSet(new String[]{userPrincipalName("administrator")}))}};
    }

    @Test(dataProvider = "rolebindingsForAllKnownClusters")
    public void test_rolebindingsForAllKnownClusters(String str, Map<Scope, Map<MdsScope, Set<String>>> map) throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, str, str).rolebindingsForKnownClusters(userPrincipalName(str), null).execute();
        Assert.assertEquals(200L, execute.code());
        HashSet hashSet = new HashSet(map.keySet());
        hashSet.add(kafkaClusterScope.scope());
        List<ScopeRoleBindingMapping> list = (List) execute.body();
        Assert.assertEquals(String.format("Expected %s scope(s) for '%s' principal, but got %s scope(s)", Integer.valueOf(hashSet.size()), str, Integer.valueOf(list.size())), hashSet.size(), list.size());
        for (ScopeRoleBindingMapping scopeRoleBindingMapping : list) {
            Scope scope = scopeRoleBindingMapping.scope().scope();
            Assert.assertTrue(String.format("Returned %s scope not expected for '%s' principal", scope, str), hashSet.contains(scope));
            if (scope == kafkaClusterScope.scope()) {
                Assert.assertEquals(map.get(scope), scopeRoleBindingMapping.rolebindings().keySet());
            }
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public static Object[][] rolebindingsForSpecificClusterType() {
        return new Object[]{new Object[]{"investing_developer", ClusterType.KSQL_CLUSTER, ImmutableSet.of(EXTERNAL_KSQL_CLUSTER_SCOPE)}, new Object[]{"payroll_developer", ClusterType.CONNECT_CLUSTER, ImmutableSet.of(EXTERNAL_CONNECT_CLUSTER_SCOPE)}, new Object[]{"special_developer", ClusterType.SCHEMA_REGISTRY_CLUSTER, ImmutableSet.of(EXTERNAL_SR_CLUSTER_SCOPE)}, new Object[]{"investing_special_developer", ClusterType.KAFKA_CLUSTER, Collections.emptySet()}};
    }

    @Test(dataProvider = "rolebindingsForSpecificClusterType")
    public void test_rolebindingsForSpecificClusterType(String str, ClusterType clusterType, Set<Scope> set) throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, str, str).rolebindingsForKnownClusters(userPrincipalName(str), clusterType).execute();
        Assert.assertEquals(200L, execute.code());
        HashSet hashSet = new HashSet(set);
        if (clusterType == ClusterType.KAFKA_CLUSTER) {
            hashSet.add(kafkaClusterScope.scope());
        }
        List list = (List) execute.body();
        Assert.assertEquals(String.format("Expected %s scope(s) for '%s' principal, but got %s scope(s)", Integer.valueOf(hashSet.size()), str, Integer.valueOf(list.size())), hashSet.size(), list.size());
        Iterator it = list.iterator();
        while (it.hasNext()) {
            Scope scope = ((ScopeRoleBindingMapping) it.next()).scope().scope();
            Assert.assertTrue(String.format("Returned %s scope not expected for '%s' principal", scope, str), hashSet.contains(scope));
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public static Object[][] rolebindingsForFullyQualifiedCluster() {
        return new Object[]{new Object[]{"investing_developer", EXTERNAL_KSQL_CLUSTER_SCOPE, EXTERNAL_KSQL_CLUSTER_SCOPE}, new Object[]{"payroll_developer", EXTERNAL_CONNECT_CLUSTER_SCOPE, EXTERNAL_CONNECT_CLUSTER_SCOPE}, new Object[]{"special_developer", EXTERNAL_SR_CLUSTER_SCOPE, EXTERNAL_SR_CLUSTER_SCOPE}, new Object[]{"investing_special_developer", EXTERNAL_KAFKA_CLUSTER_SCOPE, new Scope.Builder(new String[0]).build()}};
    }

    @Test(dataProvider = "rolebindingsForFullyQualifiedCluster")
    public void test_rolebindingsForFullyQualifiedCluster(String str, Scope scope, Scope scope2) throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, str, str).rolebindingsForFullyQualifiedCluster(userPrincipalName(str), new MdsScope(scope)).execute();
        Assert.assertEquals(200L, execute.code());
        ScopeRoleBindingMapping scopeRoleBindingMapping = (ScopeRoleBindingMapping) execute.body();
        Assert.assertEquals(String.format("Returned %s scope not expected for '%s' principal", scopeRoleBindingMapping.scope().scope(), str), scope2, scopeRoleBindingMapping.scope().scope());
    }

    @Test(dataProvider = "resourcesForPrincipal")
    public void test_getResourcesForSelf(String str, Set<String> set, Integer num) throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, str, str).getResourcesForPrincipal(userPrincipalName(str), kafkaClusterScope).execute();
        Assert.assertEquals(200L, execute.code());
        Map map = (Map) execute.body();
        Assert.assertEquals(set, map.keySet());
        for (String str2 : map.keySet()) {
            for (String str3 : (List) userAdminRbacRestApi.getRoleNamesForPrincipal(str2, kafkaClusterScope).execute().body()) {
                Assert.assertEquals((List) userAdminRbacRestApi.getRoleResourcesForPrincipal(str2, str3, kafkaClusterScope).execute().body(), ((Map) map.get(str2)).get(str3));
            }
        }
        Assert.assertEquals(num.longValue(), map.values().stream().mapToInt(map2 -> {
            return map2.values().stream().mapToInt((v0) -> {
                return v0.size();
            }).sum();
        }).sum());
    }

    @Test(dataProvider = "resourcesForPrincipal")
    public void test_getResourcesForOthersBlocked(String str, Set<String> set, Integer num) throws Exception {
        Assert.assertEquals(403L, V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, "payroll_developer", "payroll_developer").getResourcesForPrincipal(userPrincipalName(str), kafkaClusterScope).execute().code());
    }

    @Test
    public void test_getResourcesForGroupBlocked() throws Exception {
        Assert.assertEquals(403L, V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, "payroll_developer", "payroll_developer").getResourcesForPrincipal("Group:payroll_devs", kafkaClusterScope).execute().code());
    }

    @Test
    public void test_getResourcesForGroupAllowedForAdmin() throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, "administrator", "administrator").getResourcesForPrincipal("Group:payroll_devs", kafkaClusterScope).execute();
        Assert.assertEquals(200L, execute.code());
        Assert.assertEquals(ImmutableMap.of("Group:payroll_devs", ImmutableMap.of("DeveloperRead", ImmutableList.of(new ResourcePattern("Topic", "payroll-", PatternType.PREFIXED)))), execute.body());
    }
}
